Technology and Risk in The Legal Profession
As a provider of legal services, the solicitors’ profession has come a long way in adopting the latest technology as a tool to assist in the delivery of legal services for processing the work to be done and communicating with clients and others. This article will consider the opportunities and risks attached to an ever-increasing reliance upon technology in the solicitor’s market sector.
The rise of technology has gathered pace in the legal profession, and for all of us generally, in the last 25 years. At that time, we saw the rise of the PC network and the arrival of Windows-based operating systems. Prior to then, solicitors had quickly progressed from manual to electric to electronic typewriters. The 80s saw the arrival of memory typewriters and then the move on to external storage with disk drives and floppy disks. Word processors took us into the 90s and then onto the PC. The Data Protection Act was still some way off at that time and client confidentiality was essentially about what we said and how we stored confidential papers. Now we are challenged by the data we store digitally, internally on our own server or externally on a “cloud”. At the same time, we have the challenge of the communication revolution brought about by the power of the Internet. It is 20 years since we talked about the “information super-highway”, what it was and whether it had a future!
Today the world is a small place thanks largely to technology. We are in touch with the whole world through a small hand-held device, the smart phone. Unfortunately, with opportunity comes risk, certainly when it comes to technology. However, the reality is that we could not live without it. Could you deliver your legal services profitably with just a landline and a standalone word processor or PC? Think of a world with no internet and no smart phone.
If each client matter is a project, the lawyer is a project manager and case management has always existed albeit informal and originally paper-based. Technology has allowed standardisation for a significant amount of what we do and computerised case management has systemised this further. Indeed, in some areas of legal services, computerised case management is the only way services can be delivered profitably.
The first area of risk to consider is the strategic risk of not having the right technology in place and using it effectively. Even today, there are many law firms who have invested in sophisticated technology and use it as no more than an expensive typewriter. There are firms using very old analogue technology for dictation rather than digital dictation or speech recognition software. I might enquire as to why these firms are doing dictation at all? This leads us to the other area of strategic risk in that we often look for technology to help us to do what we do but better rather than looking for new and more efficient ways of working. Technology is operational but it must be considered strategically and will require on-going investment. Unfortunately, many law firms, and not necessarily small ones, are in catch-up mode and run the risk of being left behind in a changing market place.
With opportunities come risks. Law firms are data controllers and therefore must register with the Information Commissioner. We are responsible for many “information assets” that contain confidential data both on paper and in digital form. Client confidentiality is sacrosanct. Unfortunately, criminals want to access our data because they want to steal it for criminal activity, e.g. to sell it on to others, or they want to access our Office and Client account, e.g. to steal money. This activity is happening daily.
Running alongside the issue of data security is compliance beyond the Data Protection Act. The SRA, through the Handbook, imposes various responsibilities upon us, through the COLP & COFA, with regard to client confidentiality and data protection. Principle 10 states that we must protect client money and assets whilst Chapter 4: Confidentiality & Disclosure includes Outcomes about keeping clients’ affairs confidential. Further, Chapter 7, Management of your Business, Outcome 10 refers to outsourcing and the responsibilities on the firm with regard to trusting a 3rd party with your confidential data. There is no doubt that cloud computing provides a cost-effective solution to accessing the latest technology and data storage. However, we have a duty to carry out due diligence of the cloud provider. This starts with asking: “where is the cloud?”
Discussions about data security usually include the words and terms: firewall, anti-virus, passwords, encryption. To this list must be added: awareness and training. The fraudsters target the vulnerable. Everyone in the firm should have a consistent level of awareness and training on the dangers of cyber-crime and the measures taken to combat the likelihood of a risk becoming a reality. This should not be a one-off exercise; it should be repeated and refreshed.
Firms should consider the government-backed Cyber Essentials scheme. For free downloads, firms should visit: www.cyberstreetwise.com/cyberessentials/ as a tool to help them to tackle cyber-crime.
White Hats – v – Black Hats
Consideration might be given to using the services of “White Hatters” or “Ethical Hackers”. These experts will, at your invitation, attempt [and probably succeed] in hacking into your system and then make recommendations on how you can stop unethical hackers [“Black Hats”] getting into your system. Some might say that such services are expensive but what cost an unsecure system that leads to significant financial loss and reputational damage?
More and more firms have adopted flexible, remote or agile working. This usually involves accessing the firm’s information assets from outside the office, usually via WiFi. Security on firm-provided devices such as laptops, tablets and smart phones comes into much sharper focus with remote working. Another issue is the security of systems accessed by an employee’s own device [Bring Your Own Device or BYOD]. In this context, beware of the “Man in the Middle” attack. Attempted data breaches are happening daily in law firms. Remote access heightens the risk of breaches manyfold. Everyone should be wary of accessing systems via WiFi in public places for fear of man-in-the-middle attacks. Cyber criminals frequent the likes of well-known coffee houses waiting to intercept those enjoying a cappuccino whilst they log into the office or carry out some personal online banking.
Email has long been a source of risk for law firms as it became the often preferred method of communication with clients and 3rd parties. Sent and received largely unchecked, unlike traditional paper post, emails present risks on several levels. The very features of email that make it so attractive [quick and inexpensive] make it a risky method of communication. Emails are easily cloned or intercepted.
Handy hints about using emails.
Always check who you are sending to. Is the address correct, particularly when several addresses pop up as you type in the first few characters of the intended recipient? Type this in after you have typed the body of the email. This gives you the opportunity to check the address is correct. Be wary of “Reply to All”. It is quick and may be the default but check the circulation list and decide if you want everyone to receive your reply. Consider whether to use “Reply” at all and use “New” instead. If nothing else, this will save a great deal of paper if you are in the practice of printing off your emails including the trail behind the last one! If you always use “Reply”, you will be creating a long trail during on-going correspondence. This may cause problems, or at least embarrassment, if you forget the content of emails sent or received earlier in the trail or you add new recipients along the way. Remember, you have no control over what the recipient does with your email once they receive it. You don’t know who has been “blind copied”.
Many of the measures that should be taken against cyber-crime are basic [see Cyber Essentials]. For example, a robust password protocol will help. The most commonly used password on a device in a law firm is “password” followed by “123456”. Passwords should be random and not easily traceable to the user i.e. not their name! Passwords should contain upper and lower case letters and numbers and they should be changed regularly.
Automatic updates should be switched on and not ignored when the pop-up appears to tell you that updates are available. Many of the updates are virus updates and security fixes.
There are implications in all of this for your indemnity insurance. Some underwriters are uneasy about the prospect of claims arising out of cyber-crime, with one pulling out of the market already and others considering their position. One of the largest underwriters in the legal market, QBE, says its research shows that around “£85m has been stolen across the legal market in the last 18 months”. [Law Society Gazette, 11th April 2016].
This article is just a taster of the types of risk attached to technology in the legal profession, both strategic and operational. There are other issues to consider and many that cannot be ignored. Cyber-crime in the UK is estimated to be worth around £27bn. The City of London Police Commissioner in April 2015 said that cyber-crime could be bigger than the drug trade. Adopting the right technology for your firm can bring about real opportunities but also risks. Get the right defences in place, keep them up to date and train all of your people regularly and keep them up to date.